How to communicate your firm's security strategy

Security professionals often lament the way they are perceived. But there's a reason for that. Here are seven communication failures that are common among security experts, and how you can effectively communicate your security strategy within a business.

7 common mistakes made by security pros


For many years, we've heard security professionals lament the way they are perceived. Terms such as 'the place where good ideas go to die' and 'the department of no' weren't uncommon just a few years ago when referring to the security function.

But that is changing - slowly, according to many security leaders. Even as risk mitigation efforts, and the people behind them, earn a better reputation, challenges remain when it comes to conveying security's message to company leadership, and to staff users as well.

PC Advisor's sister site CSO spoke with three IT security veterans to learn what effective communication looks like in an organisation where security lives in harmony with the rest of the company. Here they tell us what not to do if you want to get everyone on board with what you're trying to accomplish.

Mistake 1: Failing to convey security's vision

Lorna Koppel, director of IT security with manufacturing firm Kohler Company, has been in security for decades. After some time in the military, and a degree in atmospheric sciences, she found herself increasingly interested in IT security as the world became more computerised.

"Things were so much simpler then. The threats were not as complex and as targeted," she recalled. "Now our jobs are more complicated because we have to still deal with all the noise and threats that are automated, but we also need to be prepared for the more complex and advanced methodology."

For Koppel and her team these days, that means there is a delicate line that needs to be straddled between how security is handling current threats, and what it plans to be doing in the future.

"We've spent a lot of time looking at our vision. Where are we going? What is our strategy?" said Koppel. "It's really hard for security people because we are reactive. We can get caught up just fighting the fire. But we also have very clear projects."

She said she strives to always maintain a relationship with her team that requires them all to be forward thinking.

"I think the mistake some people fall into is dealing with the latest. Let me deal with what's my plate now. Then I'll fit in the proactive stuff. But you get analysis paralysis. You don't make any progress on making life better for the company or yourself. How do you catch that soon enough so you don't waste a lot of time not making life better?"

We speak to three IT security veterans to learn how to communicate your security strategy in a business. Here they tell us what not to do if you want to get everyone on board.

Mistake 2: Neglecting to relate security to everyone

Koppel believes everyone in an organisation, not just the security team, needs to understand how security is working for them. That means listening to user pain points and creating solutions with that in mind.

In a recent initiative to implement an identity management solution, Koppel and her team focused on the issues users were having with the existing infrastructure before going forward: "Issues like getting access quickly, synchronising passwords, and allowing them to use applications less frequently without losing access. By looking at all those things, we made their work easier."

The result was giving users one place to go and synchronising all passwords across multiple applications. Koppel said while the new system wasn't the platinum standard from a security perspective, it significantly improved the security situation throughout Kohler. That's because while users only had to have one password, it was required to be a strong password, something many were neglecting to use before.

"Now when I sit down with people throughout the company and tell them I'm the person behind it, they say 'Oh, you're the one!' and are usually very pleased," said Koppel. "If we can solve problems for the user, we can also give them tighter security controls and they don't mind."

Mistake 3: Failing to understand cultural differences

Roger Dixon, head of information security with global investment-management company Invesco, is responsible for a security department that spans the world.

"My team is scattered around the globe," he explained. "When communicating you always have language challenges. And every region is under different pressures within that position."

Dixon said cultural differences mean his messages need to be conveyed in multiple ways to avoid offence or misunderstandings. A message that may be straightforward in North America can be seen in an entirely different light in other countries. A one-size-fits-all approach will cause problems, he said.

"You may have improper activity, a policy violation occurring somewhere in the business and you need to put out a message to address that," he said. "In North America you could get away with a 'cease and desist' message to stop the activity. But a 'cease and desist' has a slightly different connotation when you use it in the UK. In the UK they would see it as a legal term. To employees there it could be seen as the IT security department putting on airs with a legal term for a simple policy violation. Where you can get away with a stronger term in the States, it doesn't necessarily go over in other cultures."

Dixon said it is paramount to draw upon employees within different regions to help communicate in an area-appropriate fashion.


Mistake 4: Failing to make the business case for security

As security's profile in business has risen significantly in the last decade, so has the status of the CSO (chief security officer) among executives. But Dixon said that despite the increased emphasis on security, executives and employees alike glaze over when technical talk begins. People outside the security department are simply looking for someone to give it to them in terms they can understand, he said.

"They expect to bring a security question to security and get an answer that relates to the business, not how it relates to IT," he says. "You need to be able to present and bring security across all areas of the organisation."

Dixon said he finds the most success when he takes the approach of simply explaining to others what risk they face, and what the potential outcome might be of not taking the path security lays out. Koppel echoed Dixon's thoughts and said she is always working to convey the message that security understands the bigger picture of the business.

"We are looking at all business processes," she said. "We're not just putting in a firewall and trying to prevent them from doing what they need to do."

Mistake 5: Neglecting to realise that timing is key

"The biggest lesson I've learned is timing," said John Kirkwood, Global CISO of Royal Ahold.

Before his current job, Kirkwood worked at American Express and Credit Suisse. He remembers a time when his security message was ignored by most - then the September 11 terrorist attacks occurred. Several high-profile viruses made their impact soon after. Those who once ignored him think he's pretty smart now, said Kirkwood. But rather than feeling a sense of smug satisfaction, he said it's taught him something about picking battles.

"If you say the right thing to the right person at the right time you will get a lot of movement," he says. "If you aren't cognisant of when an organisation is receptive, you will find that your message will be lost."

Kirkwood points to PCI-related technology as an example, and said he knew for many years it was something organisations should be investing in for their own protection. But it wasn't until compliance requirements heated up and breaches became headlines that business began to have an interest.

"A few years ago, if I said we need to spend a few million to do this, I would have been a pariah. Some people call global information security the 'Man of La Mancha' role. You're always tilting at windmills. But if you pick your battles according to timing, you'll be extremely successful. You can't fight everything every day."


Mistake 6: Forgetting that your role changes frequently

Kirkwood said he mentally prepares for meetings by going over emails, figuring out what role he will be called upon to play among co-workers that day, and tailoring his approach accordingly.

"Am I going to be a leader, an advisor? Or maybe a publisher of bad news? It varies, but I don't have to be the leader in all cases. I don't have to be the teacher or the advisor in all cases. But I have to have that ability because I will be asked to do those different roles at different times."

Koppel agrees. She said she requires her team to know more than security if they want to work for her because they will play different roles throughout the company as security representatives.

"They need to understand networks, to understand numerous things. Because of that, they can often come in and let me know if non-technical groups are trying to solve things in backward ways, or perhaps not understanding the choices they are making with some of the vendors they are working with. Then we can come in and not only address security, but try and make it a better solution and process."

Mistake 7: Failing to recognise when communication is a waste of your time

Sometimes you can make every effort at effective communication, but it won't make a bit of difference. That's because there are times when being a good security leader means recognising that communicating isn't worth your energy.

Dixon said he spent two years in a position, banging his head against the wall, trying to communicate security's importance, only to find leadership couldn't care less. Dixon felt the organisation was really just looking for a figurehead to fire when something went wrong, so he left.

"I didn't follow my gut and spent two years not being able to do what I needed to do," said Dixon. "When you are doing [job] interviews and discussing what the business is, unless the company and management has some understanding and support for security, it doesn't matter how good you are, you aren't going to get anywhere with security."